Android Application Decompilation

I assume you already have application installable .apk file saved onto your local drive (If not, please refer to my last post). In simpler terms, decompilation is the method to view application files. Steps for application decompilation are:

Rename your application file from .apk to .zip or .rar
Extract the zipped file to view application files

Files of interest are:

AndroidManifest.xml - Contains application permission, configuration settings, filters, service settings. Look for application permission or any external service call. More information can be found here.
Classes.dex – Contains application source code i.e. class files, java files, xml files, etc. Look for business logic implementation, encryption/decryption logic, hard-coded credentials, test data.

There are high chances of AndroidManifest.xml file being encoded, so you need to decode it using a third party tool before you can actually view it. Download AXMLPrinter2.jar utility from here. Below are the steps to decode AndroidManifest.xml file:

You should now be able to view your application AndroidManifest.xml in cleartext.
Another method to inspect AndroidManifest.xml file is to download and install Manifest Explorerapplication on to your android device as shown:

The next step is to decompile the classes.d
ex file. This is the most important file to inspect from security point of view. Here’s how you can decompile it:

Download a third party tool named dex2jar from here
Below is the command to convert dex file to jar:

Locate the created jar file and rename it to rar or zip
Extract the zipped file and view class files using your favourite java decompiler

‍Database Inspection

The objective of this test is to look for sensitive information stored in application database. There are high chances of getting the user credentials in cleartext or sensitive information like user financial details, SSN numbers, etc. Android stores all application-related files under /data/data folder. You can access those files from adb.exe using the below commands:

adb devices – List of connected devices will be shown
adb shell su cd /data/data/ ls Look for your application folder cd com.android.applicationname ls

Application database files will be stored in databases folder. To view database file, we need to use sqllite3 utility which comes along with SDK toolkit. Here’s how you can view them:

sqllite3 /data/data/com.android.applicationname/databases/databasename .table – List all database tables select * from user_id;

I will cover more application specific attacks and tool list which are essential from pentest perspective in my next post.

Happy Reading!!!

Share this post